Undefined Roles, Responsibilities For Medical Device Security Heighten Risks

Organizations are struggling to define security roles and responsibilities, even as IoT and medical device security concerns continue to grow, Cynerio and the Ponemon Institute found.

By Jill McKeon

Nearly 80 percent of 517 survey respondents did not consider their organization’s IoT and IoMT cybersecurity activities to be mature, research conducted by Cynerio and the Ponemon Institute revealed.

Despite the lack of mature security controls, nearly half of surveyed respondents said that their organization had experienced attacks on medical devices that led to patient data being stolen, and 56 percent said that the attacks led to an inability to provide patient care. Additionally, 26 percent of respondents said that the attacks led to patients being inappropriately tested.

What’s more, 53 percent of respondents whose organizations faced an adverse impact on patient care due to a cyberattack reported increased mortalities as a result of the attack.

The results showed a significant disconnect within the industry. IoT and medical device security risks are widely known, but organizations are still neglecting to prioritize and assume responsibility for these risks.

“Fueled by lagging security practices and failures measured in fatalities rather than fiscal loss, nation-states, ransomware gangs and other groups have identified an industry that presents low levels of cyber protection paired with multiple revenue channels,” the report stated.

“In nearly any other industry such results would be akin to an act of war, but everyday interactions with mortality have contributed to a more conservative approach to addressing the threats introduced by unprotected technology, namely IoT and IoMT devices.”

Medical device security concerns have long been a source of stress for healthcare cybersecurity experts. Lack of visibility, the proliferation of legacy medical devices, and an ever-changing cyber threat landscape have raised legitimate concerns. As healthcare continues to face cyberattacks every day, experts justifiably fear that threat actors will increasingly turn to IoT devices as a network entry point.

“One reason for lagging security practices is clear — there is no widely accepted ownership,” the report noted.

“When asked who is primarily responsible for ensuring the security of these risky devices, not one role received more than 18 [percent] of responses.”

Specifically, 18 percent of respondents pointed to the CIO or CTO as being the party most responsible for IoT and IoMT device security, followed by operations leadership at 14 percent, CISO at 14 percent, and network leadership at 11 percent.

Additionally, 54 percent of respondents said that senior management did not require assurances that medical device risks were properly monitored, assessed, or managed. 

“Not only are there no clearly agreed upon stakeholders for protecting the thousands of connected devices in most environments, but the list hits numerous departments from BioMedical Engineers to CEOs and nearly everyone in between,” the report said.

“Given that many of these devices are nearly a decade old, it is clear that better practices regarding ownership and responsibility need to be better defined and implemented.”

In addition to a lack of clarity surrounding roles and responsibilities, surveyed organizations’ investments (or lack thereof) in medical device security similarly underscored the sector’s need to further prioritize security.

The average respondent reported spending just 3.4 percent of their overall IT budget on securing IoT and IoMT devices.

“While this is clearly not sufficient, particularly when considering that these devices often make up half of the device volume in a hospital, it does give the low bar that providers should at least be hitting when investing in their IoT/IoMT security practices,” the report noted.

A serious hacking incident on one of the organization’s medical devices, new regulations, and concerns over relationships with clinicians and other third parties were the top three reported reasons why the respondents might consider increasing their IoT and medical device security budget.

“What does the healthcare industry do with this information?” the report questioned.

There is not just one right answer, but researchers suggested that organizations start by allocating more of their budget and time toward IoT and IoMT security.

“New approaches must be investigated that scale all aspects of securing these devices — automated inventory, discovery of unmanaged devices, improved defense in depth at the device, network and environment levels, and a clear understanding of who owns responsibility, action and accountability for the widespread medical marvels of IoT/IoMT to ensure devices are not doing more harm than good,” the report explained.